Skip to content

Commit

Permalink
Added an extra check to MLU bounds
Browse files Browse the repository at this point in the history 
Thanks to Ibrahim el-sayed for spotting the bug
  • Loading branch information
Marti committed Aug 15, 2016
1 parent 696d6b1 commit 5ca71a7
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions src/cmstypes.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU

// Check for overflow
if (Offset < (SizeOfHeader + 8)) goto Error;
if ((Offset + Len) > SizeOfTag + 8) goto Error;

// True begin of the string
BeginOfThisString = Offset - SizeOfHeader - 8;
Expand Down

2 comments on commit 5ca71a7

@yqxxbomb
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

没怎么看懂呵呵

@carnil
Copy link

@carnil carnil commented on 5ca71a7 Jan 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FTR, this is CVE-2016-10165

Please sign in to comment.